Cheap connected home devices threatening our security and privacy
The evolving Internet of Things (IoT) poses a serious security and privacy threat to both Internet users and access providers. All these cheap little devices that we order en masse from online marketplaces all over the world and connect to our home networks without a second thought provide easy-to-exploit attack surfaces. Given the fact that most of these devices will never in their lives receive a software update -- the smallest ones don't even have the memory to perform such a thing -- it's not a matter of if but when malicious parties find their way into your home network.
Hacked devices then serve as springboards to infect other devices and upstream systems. Or they become part of botnets collecting valuable data, sending spam, and launching Distributed Denial-of-Service (DDoS) attacks from the access network. They may even penetrate company networks and servers when we are working from an infected home network.
A sea of unmanaged home devices
Taking into account that the IoT will soon comprise tens of billions of networked devices, of which a large portion will be unmanaged machine-to-machine (M2M) home devices, the security and privacy risks will affect all Internet users. Over the next few years the number of networked devices in a typical "connected home" is expected to run in the dozens. If we don't take measures to mitigate the risks involved with this new hyperconnected world, we may very well lose control over our smart homes. As a consequence, Internet users will run a high risk of becoming victims of ransomware, identity theft, theft of valuable information and assets, and the publication of sensitive and private information.
Anticipating this imminent future in which our environment will be infested with unmanaged devices, we have developed software that allows end users and access providers to maintain control over all the devices connected to the home network. The software bears the name SPIN -- short for Security and Privacy for In-home Networks -- and provides end users with an interface that shows all devices connected through the home gateway and their traffic flows. Users can drill down to get more information on a specific device, and use the resulting pop-up to ignore, rename, block, or whitelist this node. Access providers can be provided with the same insight and functionality from their side of the gateway, and add an interface that allows them to easily integrate SPIN into their existing security management infrastructure and self-help portals. The SPIN software itself can directly be incorporated into any home router (CPE) by the manufacturer as part of an OpenWrt/Linux image.
You can find more detailed information on SPIN in our white paper 'Managing unmanaged home devices'. If you want a first-hand experience of SPIN's features, a binary image for the Raspberry Pi is readily available for download.